The & character in a CMD Prompt is command separator. It says "execute the command on the left of the & character, then execute the command to the right of the & when the left command has completed execution".
To get CMD to process that character as part of the URL, you would have to escape the & characters by preceding them with the ^ character:
set COMMANDLINE="curl -s grant_type=client_credentials^&client_id=%CLIENTID%^&client_secret=%CLIENTSECRET%^&resource=%RESOURCE%"
echo "Command line is %COMMANDLINE%"